But wait! Your precious database password is stored in plaintext at the top of your file for everyone to see!

Why is this a problem? Once you commit your files to Git (or any kind of version control), they are there for everyone else with access to your repository to see. Not only will all of your fellow developers have access to the credentials, but if your Git repository were ever hacked or leaked, your passwords would be trivial to steal!

What is the proper way to store secrets in the Serverless Framework?

AWS Secrets Manager to the Rescue

Luckily AWS has come to the rescue with the AWS Secrets Manager. The AWS Secrets Manager allows you to securely store your database passwords (or any other secrets such as API keys) inside AWS itself.

When your application needs a secret, it requests it from the AWS Secrets Manager, which responds with the secret only if the caller has the correct IAM permissions. This means that:

Only the call to the AWS Secrets Manager is stored inside your Git repository, not the password itself.

Only users and roles that you have explicitly granted IAM Secrets Manager permission can read your password.
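As an added example (not code from the original post), here is what "only the call is stored in Git" looks like in a Python Lambda handler: the function fetches and parses the secret at runtime and caches it for the container's lifetime, and a helper builds the least-privilege IAM statement that scopes the role to that one secret. The secret name `prod/db/password`, the JSON field layout, and the injectable client (so it can be exercised without AWS access) are assumptions.

```python
import json

# Assumed secret name: only this identifier is committed, never the password.
SECRET_ID = "prod/db/password"

# Per-container cache so each warm Lambda invocation does not pay for an API call.
_cache = {}


def secrets_client():
    # Lazy import so the module also loads where boto3 is absent (e.g. unit tests).
    import boto3
    return boto3.client("secretsmanager")


def get_db_credentials(secret_id=SECRET_ID, client=None):
    """Fetch a JSON secret from Secrets Manager and return it as a dict."""
    if secret_id in _cache:
        return _cache[secret_id]
    if client is None:
        client = secrets_client()
    # Raises an AccessDenied error if the caller's IAM role is not allowed to read it.
    resp = client.get_secret_value(SecretId=secret_id)
    # The API returns either SecretString or SecretBinary (boto3 already base64-decodes it).
    raw = resp.get("SecretString")
    if raw is None:
        raw = resp["SecretBinary"].decode("utf-8")
    creds = json.loads(raw)
    # Fail loudly on a malformed secret instead of connecting with partial credentials.
    for key in ("username", "password", "host"):
        if key not in creds:
            raise ValueError(f"secret {secret_id!r} is missing field {key!r}")
    _cache[secret_id] = creds
    return creds


def least_privilege_statement(secret_arn):
    """IAM statement for serverless.yml iamRoleStatements: read exactly one secret, nothing else."""
    return {
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue"],
        "Resource": [secret_arn],
    }


def handler(event, context):
    creds = get_db_credentials()
    # Open the DB connection with creds["host"], creds["username"], creds["password"] here.
    # Never log or return the password itself.
    return {"statusCode": 200, "body": f"connected as {creds['username']}"}
```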